Saturday, April 25, 2009

Spanning Tree - portfast, bpduguard, bpdufilter

I use the above diagram to illustrate the interaction between the spanning tree features: portfast, bpdufilter and bpduguard.

For a long time, whilst I understood the purpose of these features, I did not understand how bpdufilter and bpduguard in particular interacted with each other. I have at last resolved this confusion by running a wire capture to see for myself exactly what is going on.

First the basics:

portfast - moves a port immediately to the forwarding state

bpdufilter - stops a port sending BPDUs

bpduguard - error-disables a port if BPDUs are received

1) config-if#spanning-tree portfast

Enabling portfast, the port moves to the forwarding state, and from the capture I can see BPDUs still being sent.

2) config-if#spanning-tree portfast
config-if#spanning-tree bpdufilter enable

I enable bpdufilter and BPDUs are no longer sent.

3) config-if#spanning-tree portfast
config-if#spanning-tree bpduguard enable

I enable bpduguard and can see BPDUs being sent. I was somewhat surprised by this, as I had always treated bpduguard as a more severe version of bpdufilter, i.e. no BPDUs sent with the guard feature set - Wrong!!

The enlightening moment for me was the realisation that ensuring no BPDUs are sent while bpduguard is on perhaps requires bpdufilter to be enabled alongside bpduguard.

With the above commands I observed no BPDUs being sent. I had previously assumed these features were mutually exclusive. They are not; they perform different functions and can be used alongside each other.

To observe bpduguard in action I connected the port to another switchport that was sending BPDUs.
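The wire-capture check used in steps 1 to 3, automated as an added example that is not part of the original post: it decodes IEEE 802.1D BPDUs from raw Ethernet frames and counts them per source MAC, so a capture taken on a port shows whether the switch is still sending them. The MAC addresses, bridge ID and capture contents are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import Counter

STP_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                # DSAP 0x42, SSAP 0x42, UI control

def parse_bpdu(frame: bytes):
    """Decode an 802.1D BPDU in an 802.3/LLC frame; return None for anything else."""
    if len(frame) < 21 or frame[:6] != STP_MAC:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:  # EtherType frame or other LLC user
        return None
    body = frame[17:14 + length]                  # drop Ethernet padding
    if len(body) < 4 or body[:2] != b"\x00\x00":  # protocol identifier must be 0
        return None
    info = {"src": frame[6:12].hex(":"), "version": body[2], "type": body[3]}
    if body[3] in (0x00, 0x02) and len(body) >= 35:  # configuration or RST BPDU
        _flags, root, cost, bridge, port = struct.unpack("!B8sI8sH", body[4:27])
        info.update(root=root.hex(), cost=cost, bridge=bridge.hex(), port=port,
                    hello_s=struct.unpack("!H", body[31:33])[0] / 256)
    return info

def bpdu_senders(frames):
    """Count BPDUs per source MAC across an iterable of raw frames."""
    return Counter(b["src"] for b in map(parse_bpdu, frames) if b)

def make_bpdu(src: bytes, bridge_id: bytes) -> bytes:
    """Build a constructed configuration BPDU (sender claims to be root)."""
    body = struct.pack("!HBBB8sI8sH4H", 0, 0, 0, 0, bridge_id, 0, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    llc = LLC_STP + body
    return (STP_MAC + src + struct.pack("!H", len(llc)) + llc).ljust(60, b"\x00")

# Constructed sample data: one switch port MAC and one unrelated ARP broadcast.
PORT_MAC = bytes.fromhex("001122334401")
BRIDGE_ID = bytes.fromhex("8000001122334400")
ARP = (b"\xff" * 6 + bytes.fromhex("0200000000aa") + b"\x08\x06").ljust(60, b"\x00")

CAPTURE_PORTFAST = [make_bpdu(PORT_MAC, BRIDGE_ID), ARP, make_bpdu(PORT_MAC, BRIDGE_ID)]
CAPTURE_BPDUFILTER = [ARP, ARP]  # nothing addressed to the bridge group address

if __name__ == "__main__":
    for name, cap in [("portfast only", CAPTURE_PORTFAST),
                      ("portfast + bpdufilter", CAPTURE_BPDUFILTER)]:
        print(name, dict(bpdu_senders(cap)))
```

Only BPDUs sent to the IEEE address 01:80:c2:00:00:00 are matched; Cisco PVST+ BPDUs, which use the destination 01:00:0c:cc:cc:cd with SNAP encapsulation, are outside what this parser recognises.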